
Commit 3814ac6

SSPROD-48612: adding ciem roles to the cspm service account (#45)
* SSPROD-48612: adding CIEM roles to the CSPM service account * remove blank line
1 parent 53574df commit 3814ac6


2 files changed

+2
-10
lines changed


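--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -63,7 +63,8 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
 # role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
 #---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "cspm" {
-for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"])
+# adding ciem role with permissions to the service account alongside cspm roles
+for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
 
 project = var.project_id
 role = each.key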
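Review bot: The organizational code path gets nothing from this hunk — `for_each` evaluates to `[]` whenever `var.is_organizational` is true — so if an org-level counterpart of this resource exists elsewhere in the module (not visible here), it still lacks the five CIEM roles that this same commit removes from `modules/integrations/pub-sub/main.tf`, and organizational installs would silently lose CIEM read access; this is worth confirming before merge. The new comment says "role" but the list now mixes six CSPM roles with five CIEM roles in one set, so a reader of `google_project_iam_member.cspm` can no longer tell which grant serves which feature; I would replace the comment with `# CSPM roles (cloudasset/iam.workloadIdentityUser/logging/cloudfunctions/cloudbuild/orgpolicy viewers) plus CIEM roles (recommender, iam.serviceAccountViewer, iam.roleViewer, container.clusterViewer, compute.viewer)`, or move the CIEM list into its own `local` and `concat` the two. `roles/compute.viewer` and `roles/container.clusterViewer` are broad project-wide read roles on the same identity that also holds `roles/iam.workloadIdentityUser`; if CIEM only needs IAM-policy-level data, a comment should record why narrower roles were rejected. The `member` line of this resource lies outside the hunk.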

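--- a/modules/integrations/pub-sub/main.tf
+++ b/modules/integrations/pub-sub/main.tf
@@ -235,15 +235,6 @@ resource "google_service_account_iam_member" "custom_auth" {
 member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.ingestion_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
 
-# adding ciem role with permissions to the service account
-resource "google_project_iam_member" "identity_mgmt" {
-for_each = var.is_organizational ? [] : toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
-
-project = var.project_id
-role = each.key
-member = "serviceAccount:${google_service_account.push_auth.email}"
-}
-
 #-----------------------------------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the pub-sub integration to the Sysdig Cloud Account
 #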
